Profile Applicability:
Level 1

Description:
 Audit log files contain sensitive security and system activity information. Setting permissions to 0640 or more restrictive limits access to the file owner and group, preventing unauthorized users from reading or modifying audit logs.

Rationale:
 Restricting permissions on audit log files protects the confidentiality and integrity of audit data, reducing the risk of tampering or unauthorized disclosure.

Impact:
 Pros:

  • Protects audit logs from unauthorized access.

  • Maintains reliability and confidentiality of security events.

 Cons:

  • Overly restrictive permissions might interfere with legitimate access by audit services.

Default Value:
 Permissions on audit log files may vary; verification and adjustment may be necessary.

Pre-requisites:

  • Root or sudo privileges to audit and modify file permissions.

Remediation:

Test Plan:

Using Linux command line:

  1. Check permissions of audit log files:

    ls -l /var/log/audit/

  2. Identify files with permissions more permissive than 0640:

    find /var/log/audit/ -type f -perm /0137

    (-perm /0137 matches any file with a bit set outside 0640: an execute bit, group write, or any "other" permission. Note that "! -perm -640" would instead list files that are MORE restrictive than 0640, such as 0600, which is the opposite of what this step checks.)

  3. Verify none or only necessary files have more permissive modes.

Implementation Plan:

Using Linux command line:

  1. Set permissions to 0640 or more restrictive:

    find /var/log/audit/ -maxdepth 1 -type f -perm /0137 -exec chmod u-x,g-wx,o-rwx {} +

    (Removing the offending bits rather than forcing "chmod 640" keeps files that are already tighter, e.g. 0600, at their current mode.)

  2. Apply recursively if needed:

    find /var/log/audit/ -type f -perm /0137 -exec chmod u-x,g-wx,o-rwx {} +

    (Do not use "chmod -R 640 /var/log/audit/": it would also strip the execute bit from the directory itself, making it non-traversable, and would loosen any file already set to 0600.)

  3. Verify changes:

    ls -l /var/log/audit/
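The check from the Test Plan and the tightening from the Implementation Plan, combined into one small script so each can be run and its result tested. This is an added example, not part of the benchmark text: the function names (audit_log_perm_check, audit_log_perm_ok, audit_log_perm_fix) are the example's own, and the directory argument defaults to /var/log/audit/ but can be pointed at any path so the logic can be exercised against constructed test files without touching a live audit directory.

```shell
#!/bin/sh
# Added example (not from the benchmark): find and fix audit log files that
# are more permissive than 0640. Function names are this example's own.

# List regular files whose mode has ANY bit outside 0640 set.
# -perm /0137 = 0100 (u+x) | 0020 (g+w) | 0010 (g+x) | 0007 (o+rwx).
audit_log_perm_check() {
    dir=${1:-/var/log/audit}
    find "$dir" -type f -perm /0137
}

# Exit 0 when no file under the directory is more permissive than 0640,
# non-zero otherwise (usable directly in a compliance check).
audit_log_perm_ok() {
    [ -z "$(audit_log_perm_check "$1")" ]
}

# Tighten only the offending files, and only by removing bits, so a file
# that is already 0600 is left at 0600 instead of being loosened to 0640.
audit_log_perm_fix() {
    dir=${1:-/var/log/audit}
    find "$dir" -type f -perm /0137 -exec chmod u-x,g-wx,o-rwx {} +
}

# Typical use on a live host (requires root):
#   audit_log_perm_ok || audit_log_perm_fix
```

The fix deliberately targets files only (-type f): the audit directory itself needs its execute bit to remain traversable, which is exactly what a recursive "chmod -R 640" would break.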
Backout Plan:

Using Linux command line:

  1. Restore previous permissions from backups if necessary.

  2. Confirm audit services can read and write logs as needed.

References: